PEAP and certificate.

andrea.meconi
Level 2

Hello.

I'm using PEAP with Cisco Secure ACS and AD. A GPO enables clients to validate the server certificate.

How can I deny access to users who do not have "Validate server certificate" checked?

Thanks.

Regards.

Andrea

Accepted Solution

tfraij
Cisco Employee

Hello Andrea,

The "validate server certificate" option can be configured on the client side only.

There is no configuration on ACS to force that; you have to configure a policy on your Microsoft side (so users can't change this check box :-) ).

Otherwise you can use EAP-TLS, which forces the use of two certificates, one on the client and one on the server (mutual authentication).

Best regards

Talal

===========
Please rate answers that you find useful, and mark the question as answered when it is :-) so others can find it easily.
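Since the enforcement described above lives in the client profile rather than on ACS, one defender-side check is to audit the PEAP profiles pushed to Windows clients (for example the XML that `netsh wlan export profile` writes). The script below is an added example, not from this thread or from Cisco; the element names follow the Microsoft PEAP profile XML schema as assumed here, and the sample fragment is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a PEAP (EAP type 25) profile fragment in the shape of a
# Windows EAPConfig export. Element names are assumed from the MS-PEAP schema;
# the values are made up. This one still lets the user click through a prompt
# and pins no server name.
SAMPLE_PROFILE = """<EAPConfig>
<EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig">
 <Config>
  <Eap xmlns="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1">
   <Type>25</Type>
   <EapType xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1">
    <ServerValidation>
     <DisableUserPromptForServerValidation>false</DisableUserPromptForServerValidation>
     <ServerNames></ServerNames>
     <TrustedRootCA>aa bb cc dd</TrustedRootCA>
    </ServerValidation>
    <PeapExtensions>
     <PerformServerValidation xmlns="http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2">true</PerformServerValidation>
    </PeapExtensions>
   </EapType>
  </Eap>
 </Config>
</EapHostConfig>
</EAPConfig>"""


def _local(tag):
    # Strip the XML namespace so the check works across schema versions.
    return tag.rsplit("}", 1)[-1]


def _find_text(root, name):
    # Text of the first element with the given local name, or None if absent.
    for el in root.iter():
        if _local(el.tag) == name:
            return (el.text or "").strip()
    return None


def audit_peap_profile(xml_text):
    """Return a list of findings; an empty list means validation is enforced."""
    root = ET.fromstring(xml_text)
    findings = []
    if _find_text(root, "PerformServerValidation") != "true":
        findings.append("server certificate validation is disabled")
    if _find_text(root, "DisableUserPromptForServerValidation") != "true":
        findings.append("user may click through an untrusted certificate prompt")
    if not _find_text(root, "ServerNames"):
        findings.append("no expected RADIUS server name pinned")
    if not _find_text(root, "TrustedRootCA"):
        findings.append("no trusted root CA thumbprint pinned")
    return findings
```

Run it over every exported profile on a reference machine after the GPO applies; any non-empty result means the policy did not lock the supplicant the way the answer above requires.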


5 Replies


Many thanks for your help Talal.

I understand that this is not a PEAP issue!

I believe I need to apply a filter on ACS (using a MAC-address check).

Regards.

Andrea

Talal is spot on. If you have a small deployment you could consider MAC filtering. However, this does become a big management burden if you have a lot of devices. As mentioned, you can create a policy "locking" the supplicant so that end users cannot change "validate certificate".

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________

Good!

Some users make connections using Apple.

I'm going to evaluate filter.

Other ideas?

Regards.

Andrea

You can still validate certs with Apple as well. How many clients do you have?

"Satisfaction does not come from knowing the solution, it comes from knowing why." - Rosalind Franklin
___________________________________________________________